Why can't #nostr use the same ID as #ssh?

#askNostr

Does it make sense? #vibe

To configure sshd (the OpenSSH server) to only allow authentication using nPUBs (Nostr public keys), you'll need to integrate an external authentication mechanism, as OpenSSH does not natively support Nostr's nPUB-based authentication out of the box.

However, if you're referring to using nPUBs as a way to authenticate users, you have a few conceptual paths:


---

1. Clarify Intent: nPUB ≠ SSH Key

An nPUB is a Nostr public key, not an SSH public key, so sshd won't recognize it directly.

If your goal is to use Nostr for authentication (like verifying a signed challenge with a Nostr key), you'd need a custom PAM module or similar.



---

2. Possible Approaches to Use nPUBs with SSHD

A. Custom PAM Module for Nostr

You could create a PAM (Pluggable Authentication Module) to:

1. Prompt the user for a Nostr signature on login.
2. Validate the signature using the nPUB.
3. Grant access if valid.



Steps:

- Write a PAM module that:
  - Sends a challenge to the user (e.g., via a web/Nostr relay).
  - Verifies the signed message using the nPUB (ed25519 crypto).
- Modify /etc/ssh/sshd_config:

```
UsePAM yes
# On OpenSSH 8.7 and later this option is a deprecated alias of KbdInteractiveAuthentication.
ChallengeResponseAuthentication yes
```


B. SSH Keys Derived from nPUBs

If you're using ed25519 keys in both SSH and Nostr, you could reuse the private key (with caution) and derive a corresponding SSH key:

1. Extract the private key used in Nostr.
2. Convert it into OpenSSH format (ed25519).
3. Place the corresponding public key in ~/.ssh/authorized_keys.



This works only if you're fine using the same key for both.

> Note: This is not using nPUBs directly, but allows the same cryptographic identity.




---

3. Example: SSH Key Reuse (Not Recommended for Secure Separation)

If your Nostr identity uses an ed25519 private key, and you have it as a hex string:

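```sh
# Hex-encoded private key goes inside the quotes.
echo "" | xxd -r -p > nostr.raw
# ssh-keygen -y expects an OpenSSH/PEM private key file, not raw key bytes.
ssh-keygen -y -f nostr.raw > nostr.pub
```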

Then place nostr.pub in ~/.ssh/authorized_keys.

Again, this reuses the private key rather than using nPUBs per se.


---

4. Real-World Alternative: Use a Nostr-Aware Auth Proxy

Build a small server (in Go, Rust, or Python) that:

- Accepts an SSH connection.
- Runs a Nostr signature verification flow.
- Spawns a shell if the verification passes.


This would bypass sshd's default auth flow entirely.


---

If you'd like, I can help you build one of these (e.g., a Nostr-based PAM module or a small Go/Rust proxy server for this purpose). Let me know how deep you'd like to go!

This post and comments are published on Nostr.